From nobody Tue Apr  7 19:40:29 2026
Delivered-To: importer@patchew.org
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=pass(p=quarantine dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1773299755; cv=none;
	d=zohomail.com; s=zohoarc;
	b=ffj42Nu8ZUjtedQpt//vyckkB5jgjsnGvyFfw4jqOdw0oXKRjIm0lsfbOsKkNUSUvbYKjPQfFHCxQS4a1Woczs3H4PP2d8wNNx8drt38iehjQ8r+IHWoYXfhUvtoBO+kKVhqHkjXKIs9bHnNWXDWbscqQj8hAu46wfdvQgWULys=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1773299755;
 h=Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To:Cc;
	bh=b/Cx5BhQaOZNCa2vAX1kb6o68eYgtv5EzkoSngDiIJ4=;
	b=Mci3aImfINmQbCvKuPKeabYqZ+Hgp/aEheHVeFRuIL/dd+rTx0G6nqLKgcaWVSTMqTxPu9UwiZYt1SGHsMJ1V73uCXUeg/v5/mM0gC2wQNbluHQzw3LlYgRxg4nHFQNkrUzp9j8JGx14Um5eWT1HwaPzJpP5qs/HQQ8Okyo2fLs=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=pass header.from=<lulu@redhat.com> (p=quarantine dis=none)
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 1773299755931980.5842331412814;
 Thu, 12 Mar 2026 00:15:55 -0700 (PDT)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces@nongnu.org>)
	id 1w0aGV-0004ta-OZ; Thu, 12 Mar 2026 03:15:27 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lulu@redhat.com>) id 1w0aGT-0004rp-KP
 for qemu-devel@nongnu.org; Thu, 12 Mar 2026 03:15:25 -0400
Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lulu@redhat.com>) id 1w0aGR-00008H-PQ
 for qemu-devel@nongnu.org; Thu, 12 Mar 2026 03:15:25 -0400
Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-150-GqIb6kmAOcezgR2ZeLsZgg-1; Thu,
 12 Mar 2026 03:15:17 -0400
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 75C43197768B; Thu, 12 Mar 2026 07:15:16 +0000 (UTC)
Received: from S2.redhat.com (unknown [10.72.112.170])
 by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id 0A29A19540C2; Thu, 12 Mar 2026 07:15:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1773299720;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=b/Cx5BhQaOZNCa2vAX1kb6o68eYgtv5EzkoSngDiIJ4=;
 b=QBa7cqO3wmTzhwmWceHa9EuaugZEPt6+HvyQ/K3Y20GJzctuu9gxKWMW590rrcgWt+Zxku
 xM7P8XtlJ8WoV2Hc/R/q9DGSFs3yFrIPFxBWn4A3KhGzYNptiU8Hsh4+ES0NLN0Uu5rIsC
 WLZdSFrCeJiR1KsmQ8LeukUxUJRChk0=
X-MC-Unique: GqIb6kmAOcezgR2ZeLsZgg-1
X-Mimecast-MFC-AGG-ID: GqIb6kmAOcezgR2ZeLsZgg_1773299716
From: Cindy Lu <lulu@redhat.com>
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com,
 lizhijian@fujitsu.com, jmarcin@redhat.com, qemu-devel@nongnu.org
Subject: [RFC v2 6/9] net/filter: Add support for filter-buffer
Date: Thu, 12 Mar 2026 15:09:34 +0800
Message-ID: <20260312071415.1836655-7-lulu@redhat.com>
In-Reply-To: <20260312071415.1836655-1-lulu@redhat.com>
References: <20260312071415.1836655-1-lulu@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Received-SPF: pass client-ip=170.10.133.124; envelope-from=lulu@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com
X-Spam_score_int: -3
X-Spam_score: -0.4
X-Spam_bar: /
X-Spam_report: (-0.4 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001,
 RCVD_IN_VALIDITY_RPBL_BLOCKED=0.819, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.903,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: qemu development <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1773299774871158500
Content-Type: text/plain; charset="utf-8"

Allow filter-buffer on the same vhost backend as filter-redirector,
add an internal redirector-injected packet flag, and route indev packets
through the preceding filter-buffer before they are reinjected.

Signed-off-by: Cindy Lu <lulu@redhat.com>
---
 include/net/queue.h |  5 +++
 net/filter-mirror.c | 98 +++++++++++++++++++++++++++++++++++++++++----
 net/filter.c        |  5 ++-
 3 files changed, 98 insertions(+), 10 deletions(-)

diff --git a/include/net/queue.h b/include/net/queue.h
index 2e686b1b61..213abe62ec 100644
--- a/include/net/queue.h
+++ b/include/net/queue.h
@@ -32,6 +32,11 @@ typedef void (NetPacketSent) (NetClientState *sender, ss=
ize_t ret);
=20
 #define QEMU_NET_PACKET_FLAG_NONE  0
 #define QEMU_NET_PACKET_FLAG_RAW  (1<<0)
+/*
+ * Internal marker used by filter-redirector when packets are injected from
+ * indev through filter-buffer before being reinjected.
+ */
+#define QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT (1<<1)
=20
 /* Returns:
  *   >0 - success
diff --git a/net/filter-mirror.c b/net/filter-mirror.c
index 1ff58e1d27..dabf52275a 100644
--- a/net/filter-mirror.c
+++ b/net/filter-mirror.c
@@ -233,6 +233,73 @@ static ssize_t filter_redirector_send_netdev_iov(Mirro=
rState *s,
     return filter_redirector_send_netdev_packet(s, iov, iovcnt);
 }
=20
+static NetFilterState *filter_redirector_prev_in_direction(NetFilterState =
*nf,
+                                                           NetFilterDirect=
ion dir)
+{
+    if (dir =3D=3D NET_FILTER_DIRECTION_TX) {
+        return QTAILQ_PREV(nf, next);
+    }
+    return QTAILQ_NEXT(nf, next);
+}
+
+static NetFilterState *filter_redirector_find_buffer_before(NetFilterState=
 *nf,
+                                                            NetFilterDirec=
tion dir)
+{
+    NetFilterState *iter =3D filter_redirector_prev_in_direction(nf, dir);
+
+    while (iter) {
+        if ((iter->direction =3D=3D dir ||
+             iter->direction =3D=3D NET_FILTER_DIRECTION_ALL) &&
+            object_dynamic_cast(OBJECT(iter), "filter-buffer")) {
+            return iter;
+        }
+        iter =3D filter_redirector_prev_in_direction(iter, dir);
+    }
+
+    return NULL;
+}
+
+static bool filter_redirector_inject_to_buffer(NetFilterState *nf,
+                                               const uint8_t *buf,
+                                               int len)
+{
+    struct iovec iov =3D {
+        .iov_base =3D (void *)buf,
+        .iov_len =3D len,
+    };
+    NetFilterState *buffer;
+    bool injected =3D false;
+
+    if (nf->direction =3D=3D NET_FILTER_DIRECTION_ALL ||
+        nf->direction =3D=3D NET_FILTER_DIRECTION_TX) {
+        buffer =3D filter_redirector_find_buffer_before(nf,
+                                                      NET_FILTER_DIRECTION=
_TX);
+        if (buffer) {
+            qemu_netfilter_receive(buffer, NET_FILTER_DIRECTION_TX,
+                                   nf->netdev,
+                                   QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT,
+                                   &iov, 1, NULL);
+            injected =3D true;
+        }
+    }
+
+    if ((nf->direction =3D=3D NET_FILTER_DIRECTION_ALL ||
+         nf->direction =3D=3D NET_FILTER_DIRECTION_RX) &&
+        nf->netdev->peer) {
+        buffer =3D filter_redirector_find_buffer_before(nf,
+                                                      NET_FILTER_DIRECTION=
_RX);
+        if (buffer) {
+            qemu_netfilter_receive(buffer, NET_FILTER_DIRECTION_RX,
+                                   nf->netdev->peer,
+                                   QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT,
+                                   &iov, 1, NULL);
+            injected =3D true;
+        }
+    }
+
+    return injected;
+}
+
 static void redirector_to_filter(NetFilterState *nf,
                                  const uint8_t *buf,
                                  int len)
@@ -310,7 +377,6 @@ static void filter_redirector_recv_from_chardev(NetFilt=
erState *nf,
                                                         int len)
 {
     MirrorState *s =3D FILTER_REDIRECTOR(nf);
-    bool inject_netdev =3D filter_redirector_use_inject_netdev(nf);
     ssize_t ret;
     struct iovec iov =3D {
         .iov_base =3D (void *)buf,
@@ -325,7 +391,11 @@ static void filter_redirector_recv_from_chardev(NetFil=
terState *nf,
     s->indev_packets++;
     s->indev_bytes +=3D len;
=20
-    if (inject_netdev) {
+    if (!s->outdev && filter_redirector_inject_to_buffer(nf, buf, len)) {
+        return;
+    }
+
+    if (s->out_netfd >=3D 0) {
         ret =3D filter_redirector_send_netdev_iov(s, &iov, 1);
         if (ret < 0) {
             error_report("filter redirector send failed(%s)", strerror(-re=
t));
@@ -446,16 +516,22 @@ static ssize_t filter_redirector_receive_iov(NetFilte=
rState *nf,
                                              NetPacketSent *sent_cb)
 {
     MirrorState *s =3D FILTER_REDIRECTOR(nf);
-    bool capture_netdev =3D filter_redirector_use_capture_netdev(nf);
-    bool inject_netdev =3D filter_redirector_use_inject_netdev(nf);
     int ret;
=20
-    if (s->indev || inject_netdev) {
-        return 0;
+    if (s->out_netfd >=3D 0) {
+        if (!(flags & QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT)) {
+            return 0;
+        }
+
+        ret =3D filter_redirector_send_netdev_iov(s, iov, iovcnt);
+        if (ret < 0) {
+            error_report("filter redirector send failed(%s)", strerror(-re=
t));
+        }
+        return iov_size(iov, iovcnt);
     }
=20
-    if (capture_netdev || s->outdev) {
-        if (capture_netdev) {
+    if (s->outdev) {
+        if (s->in_netfd >=3D 0) {
             return 0;
         }
=20
@@ -473,6 +549,12 @@ static ssize_t filter_redirector_receive_iov(NetFilter=
State *nf,
         return 0;
     }
=20
+    if (s->indev) {
+        if (!(flags & QEMU_NET_PACKET_FLAG_REDIRECTOR_INJECT)) {
+            return 0;
+        }
+    }
+
     return 0;
 }
=20
diff --git a/net/filter.c b/net/filter.c
index b9646b9e00..cc23e743cf 100644
--- a/net/filter.c
+++ b/net/filter.c
@@ -260,8 +260,9 @@ static void netfilter_complete(UserCreatable *uc, Error=
 **errp)
         bool buffer =3D object_dynamic_cast(OBJECT(uc), "filter-buffer");
         bool vhost_filter =3D redirector || buffer;
=20
-        if (!redirector) {
-            error_setg(errp, "Vhost is not supported");
+        if (!vhost_filter) {
+            error_setg(errp, "Vhost only supports filter-redirector and "
+                             "filter-buffer");
             return;
         }
         if (vhost_filter && ncs[0]->info->type !=3D NET_CLIENT_DRIVER_TAP)=
 {
--=20
2.52.0